Critical flaw in Amadeus booking platform affected 141 airlines
Attackers could have exploited the bug to gain unauthorised access to flights with 44% of the world’s airlines


A previously unknown flaw in an online booking system used by 141 airlines across the world could have allowed attackers to alter an airline manifest and steal air miles.
A major vulnerability in the Amadeus booking system used by 44% of the airline industry, including British Airways (BA) and Lufthansa, could have let a malicious actor assign seats and meal preferences, as well as change the personal details of passengers.
The issue, which is now fixed, was first identified by Israeli security researcher Noam Rotem while he was booking a flight with the Israeli national carrier ELAL, according to a Safety Detective blog post.
When he received his flight booking reference, known in the industry as a PNR, he discovered he could change a specific element of the webpage, RULE_SOURCE_1_ID, to view any customer's PNR and gain access to their name and flight details.
With this information, he was able to log in to the online portal and therefore make changes to a passenger's flight details, including email address and phone number, which could be used to cancel or change a flight reservation.
"Though the security breach requires knowledge of the PNR code, ELAL sends these codes via unencrypted email, and many people even share them on Facebook or Instagram," said Safety Detective's Paul Kane. "But that's just the tip of the iceberg."
"After running a small and non-threatening script to check for any brute-force protections, none of which were found, we were able to find PNRs of random customers, which included all of their personal information.
"We contacted ELAL immediately to point out the threat and prompt them to close the breach before it was discovered by anyone with malicious intentions."
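The two weaknesses described above, a PNR lookup keyed only on a client-controlled parameter and no brute-force protection on it, leave a recognisable trace in web access logs: one client touching many distinct PNRs, most of which do not exist. The following detection sketch is an added example, not code from Safety Detective, ELAL or Amadeus; the log format, the 200/404 status convention and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the article): a booking
# front end logging each PNR lookup. Fields: client IP, HTTP status, path
# carrying the PNR in the RULE_SOURCE_1_ID parameter named in the article.
SAMPLE_LOG = """\
203.0.113.7 200 /booking/manage?RULE_SOURCE_1_ID=ABC123
203.0.113.7 200 /booking/manage?RULE_SOURCE_1_ID=ABC123
198.51.100.9 404 /booking/manage?RULE_SOURCE_1_ID=AAAAA1
198.51.100.9 404 /booking/manage?RULE_SOURCE_1_ID=AAAAA2
198.51.100.9 200 /booking/manage?RULE_SOURCE_1_ID=AAAAA3
198.51.100.9 404 /booking/manage?RULE_SOURCE_1_ID=AAAAA4
198.51.100.9 404 /booking/manage?RULE_SOURCE_1_ID=AAAAA5
198.51.100.9 404 /booking/manage?RULE_SOURCE_1_ID=AAAAA6
"""

LINE_RE = re.compile(r"^(\S+) (\d{3}) \S*RULE_SOURCE_1_ID=([A-Z0-9]+)")


def parse(log_text):
    """Yield (client, status, pnr) for every line that is a PNR lookup."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3)


def find_enumerators(log_text, max_distinct=3, max_fail_ratio=0.5):
    """Return clients whose lookups look like PNR enumeration: more distinct
    PNRs than a genuine passenger would handle, or mostly failed lookups.
    Thresholds are illustrative assumptions, not values from the article."""
    distinct = defaultdict(set)
    totals = defaultdict(lambda: [0, 0])  # client -> [requests, failures]
    for client, status, pnr in parse(log_text):
        distinct[client].add(pnr)
        totals[client][0] += 1
        if status != 200:
            totals[client][1] += 1
    flagged = {}
    for client, (n, fails) in totals.items():
        fail_ratio = fails / n
        if len(distinct[client]) > max_distinct or fail_ratio > max_fail_ratio:
            flagged[client] = {"distinct_pnrs": len(distinct[client]),
                               "fail_ratio": round(fail_ratio, 2)}
    return flagged


if __name__ == "__main__":
    for client, info in find_enumerators(SAMPLE_LOG).items():
        print(f"possible PNR enumeration from {client}: {info}")
```

In the sample, the legitimate passenger re-opening one booking is not flagged, while the client walking through sequential PNRs with a high 404 rate is; the same signal is what a rate limit or lockout on the lookup endpoint would act on.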
Beyond reassigning air miles, this vulnerability could have posed a massive threat to nations' national security, with malicious actors theoretically able to change a flight manifest to broker unauthorised access to an aircraft.
"At Amadeus, we give security the highest priority and are constantly monitoring and updating our systems," a company spokesperson told IT Pro.
"We became alerted to an issue in one of our products and our technical teams took immediate action and as of January 16 the issue was fixed."
"We can confirm that Amadeus has not detected any data breach and that no data from travellers was disclosed. We regret any disruption this situation may have caused."
The spokesperson went on to suggest that because the industry works on common standards, including the PNR, any further improvements should include an industry-wide assessment of the standards themselves.
"Everything in the aviation ecosystem is interconnected, and therefore, vulnerable to cyber attacks," said Raytheon's vice president for support and modernisation Todd Probert.
"Whether it be a reservation system, as was the case for Amadeus, a major airline, aircraft, or a hotel chain accommodating frequent flyers, cybercriminals have a gamut of systems at their fingertips that are far too easy to crack.
"Just like with the Marriott breach last year, this hack provides foreign actors with the patterns of life of global political and business leaders, including who they travelled with, when and where. The aviation industry is built on trust. Preserving that trust requires layers upon layers of cybersecurity."
The aviation industry has faced its fair share of security threats in recent months, with the most notable victims comprising hundreds of thousands of BA passengers whose data was stolen in two breaches last year.
Similarly, Chinese airline Cathay Pacific sustained a massive breach in which attackers made off with the personal information of 9.4 million passengers, including names, nationalities, passport numbers and credit card numbers.

Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.